Abstract. The decision-Diffie-Hellman problem (DDH) is a central computational problem in cryptography. It is known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. Distortion maps are an important tool for solving DDH problems using pairings and it is known that distortion maps exist for all supersingular elliptic curves. We present an algorithm to construct suitable distortion maps. The algorithm is efficient on the curves usable in practice, and hence all DDH problems on these curves are easy. We also discuss the issue of which DDH problems on ordinary curves are easy.



1. Introduction 

It is well-known that the Weil and Tate pairings make many decision-Diffie-Hellman (DDH) problems on elliptic curves easy. This observation is behind exciting new developments in pairing-based cryptography. This paper studies the question of which DDH problems are easy and which are not necessarily easy. First we recall some definitions.

Decision Diffie-Hellman problem (DDH): Let $G$ be a cyclic group of prime order $r$ written additively. The DDH problem is to distinguish the two distributions in $G^4$

$D_1 = \{(P, aP, bP, abP) : P \in G,\ 0 < a, b < r\}$ and
$D_2 = \{(P, aP, bP, cP) : P \in G,\ 0 < a, b, c < r\}$.

Here $D_1$ is the set of valid Diffie-Hellman tuples and $D_2 = G^4$. By 'distinguish' we mean there is an algorithm which takes as input an element of $G^4$ and outputs "valid" or "invalid", such that if the input is chosen with probability 1/2 from each of $D_1$ and $D_2 - D_1$ then the output is correct with probability significantly more than 1/2 (for precise definitions see Boneh [?]). The DDH problem for a family of groups is said to be hard if there is no polynomial time algorithm which distinguishes the two distributions. A widely believed assumption in cryptography is that there exist families of groups for which the DDH problem is hard.

We now give a generalisation of the DDH problem which, following Boneh, Lynn and Shacham, we call co-DDH.

Generalised Decision Diffie-Hellman problem (co-DDH): Let $G_1$ and $G_2$ be two cyclic groups of prime order $r$. The co-DDH problem is to distinguish the two distributions in $G_1^2 \times G_2^2$

$\{(P, aP, Q, aQ) : P \in G_1,\ Q \in G_2,\ 0 < a < r\}$ and
$\{(P, aP, Q, cQ) : P \in G_1,\ Q \in G_2,\ 0 < a, c < r\}$.
The goal of this article is to determine which DDH and co-DDH problems on elliptic curves are made easy by using pairings. A common technique is to use distortion maps (endomorphisms which map certain subgroups of $E[r]$ to different subgroups) to ensure that the required pairing values are non-trivial. Theorem 5 of Verheul [29] states that a suitable distortion map always exists for subgroups of supersingular curves. This result alone does not imply that all DDH problems can be solved efficiently, since we require an explicit description of the map.

In Sections 2 and 3 we show that the trace map handles almost all cases. In Section 5 we give an alternative proof of Theorem 5 of [29] (restricting to the remaining cases) which is more constructive. In Section 6 we show that a certain endomorphism $\sqrt{-d}$ suffices, and we give an algorithm to construct this distortion map. The complexity analysis of our algorithm proves that all DDH problems are easy on the supersingular elliptic curves which could potentially be used in practice. Sections 7 and 8 illustrate the theory in concrete situations. In particular, Section 7 lists some well-known examples and shows that they always suffice in practice. Section 8 gives examples of our method in the case where the distortion map cannot be an automorphism of the curve. Some of the examples in Sections 7 and 8 show that our algorithm is not optimal, in the sense that it does not necessarily produce an endomorphism of minimal degree.

Our results may have applications as they mean that cryptographic protocols can use random points $P, Q$ on a supersingular elliptic curve and there is always a modified pairing so that $e(P, Q) \neq 1$.

In the case of ordinary elliptic curves there are two hard DDH subgroups remaining. Understanding whether these are truly hard is a challenge to any interested person.

2. Elliptic curves 

We will be concerned with elliptic curves $E$ over finite fields $\mathbb{F}_q$ such that $r$ is a large prime dividing $\#E(\mathbb{F}_q)$ and such that $\gcd(r, q) = 1$. The embedding degree is the smallest positive integer $k$ such that $r \mid (q^k - 1)$. We restrict attention to elliptic curves such that $k$ is not large (say, bounded by a fixed polynomial in $\log(q)$). Hence, one can efficiently compute in $E(\mathbb{F}_{q^k})$. We always assume that $k$ is coprime to $r$ (this is always true since $r$ is a large prime and $k$ is small).

We will repeatedly make use of the following properties of the Weil pairing (see Silverman [26], Section III.8).

Lemma 2.1. Let $E$ be an elliptic curve over $\mathbb{F}_q$ and let $P, Q \in E(\mathbb{F}_q)$ be points of prime order $r$. Then

(1) $e_r(P, P) = 1$.

(2) If $P$ and $Q$ generate $E[r]$ then $e_r(P, Q) \neq 1$.

(3) $R \in \langle P \rangle$ if and only if $e_r(P, R) = 1$.

Proof. The first statement is the well-known alternating property of the Weil pairing.

Property 2 follows since if $e_r(P, Q) = 1$ then $e_r(P, aP + bQ) = 1$ for all $a, b \in \mathbb{Z}$, which contradicts non-degeneracy of the Weil pairing.

If $R = aP + bQ$ then $e_r(P, R) = e_r(P, Q)^b$ and this is 1 if and only if $b \equiv 0 \pmod r$. This proves property 3. □
Remark 2.1. Property 3 shows that the subgroup membership problem for any cyclic subgroup $G \subseteq E(\mathbb{F}_q)$ is easily solved using the Weil pairing if the embedding degree is small. Note that property 3 does not necessarily hold for the Tate pairing (for details on the Tate pairing see Frey and Rück [?] or [15]).

The above properties clearly imply that all genuine co-DDH problems are easy. This result is already well-known, but for emphasis we state it as a proposition.

Proposition 2.2. Let $E$ be an elliptic curve over $\mathbb{F}_q$ and let $r$ be a prime. Suppose that $E[r] \subseteq E(\mathbb{F}_{q^k})$ where $k$ is polynomial in $\log(q)$. Let $G_1, G_2$ be cyclic subgroups of order $r$ in $E(\mathbb{F}_{q^k})$ such that $G_1 \neq G_2$. Then all co-DDH problems in $G_1, G_2$ can be solved in polynomial time.

Proof. The fact $G_1 \neq G_2$ implies $G_1 \cap G_2 = \{0_E\}$. Hence for all $P \in G_1$, $Q \in G_2$ with $P, Q \neq 0_E$ we have $\{P, Q\}$ forming a basis for $E[r]$ and so, by property (2), $e_r(P, Q) \neq 1$.

The co-DDH problem on a tuple $(P_1, P_2, Q_1, Q_2)$ is therefore solved by testing whether

$e_r(P_1, Q_2) = e_r(P_2, Q_1)$.

□

Remark 2.2. As mentioned above, this result is not always true for the Tate pairing. However, in most practical cases the Tate pairing can be used, and will give a more efficient solution (see [2], [14] and [15] for details).

For the remainder of the paper we will be concerned with solving DDH problems. Clearly, the Weil pairing cannot directly be used to solve these problems.

When $k = 1$ and $E(\mathbb{F}_q)[r]$ is a cyclic group of order $r$ then, due to the non-degeneracy of the Tate pairing, the DDH problem in this group can be solved in polynomial time.

The case $k = 1$ and $E(\mathbb{F}_q)[r]$ non-cyclic is more interesting (the curve $E$ is ordinary whenever $r$ is large). This case has been considered by Joux and Nguyen [?]. The Weil and Tate pairings can have very different behaviour in this case (for example, there are cases where the Tate pairing always gives non-trivial self pairings and cases where the Tate pairing never gives non-trivial self pairings). Theorem 7 of [23] shows that many DDH problems can be solved in this case (using the Weil pairing with a suitable distortion map).

In practice, the case $k > 1$ is of greater interest. Hence, for the remainder of the paper we make the following assumption:

The embedding degree is assumed to be $k \geq 2$.

3. Trace maps 

The trace map was proposed as a distortion map by Boneh et al. in the full versions of [2] and [?]. Since $\mathbb{F}_{q^k}/\mathbb{F}_q$ is a Galois extension we can define, for any point $P \in E(\mathbb{F}_{q^k})$,

$$\mathrm{Tr}(P) = \sum_{i=0}^{k-1} \pi^i(P)$$

where $\pi$ is the $q$-power Frobenius map. Equivalently, if $P = (x, y)$ then

$$\mathrm{Tr}(P) = \sum_{i=0}^{k-1} \left(x^{q^i}, y^{q^i}\right).$$

The trace map is a group homomorphism and if $P \in E(\mathbb{F}_q)$ then $\mathrm{Tr}(P) = kP$. Let $P, Q \in E(\mathbb{F}_{q^k})[r]$. Define the function $e(P, Q)$ to be either the Weil pairing $e(P, Q) = e_r(P, Q)$ or the Tate pairing $e(P, Q) = \langle P, Q \rangle^{(q^k - 1)/r}$ (see, for example, [11], [15]). If $P \in E(\mathbb{F}_q)$ and $k > 1$ then, since $\mathbb{F}_{q^k}$ is the extension of $\mathbb{F}_q$ of minimal degree which contains non-trivial $r$th roots of unity, it follows that $e(P, P) = 1$ for the Tate pairing as well as the Weil pairing.

If $r \mid \#E(\mathbb{F}_q)$ then the eigenvalues of $\pi$ on $E(\mathbb{F}_{q^k})[r]$ are 1 and $q$. Hence there is a basis $\{P, Q\}$ for $E[r]$ such that $\pi(P) = P$ and $\pi(Q) = qQ$. Now, $\{P, Q\}$ forms a basis for the $r$-torsion and so, by the same arguments as part 2 of Lemma 2.1, $e(P, Q) \neq 1$ for both Weil and Tate pairings.

Boneh observed (see [?]) that the eigenspace $\langle Q \rangle$ of points with eigenvalue $q$ is equal to the set of all points $R \in E(\mathbb{F}_{q^k})[r]$ such that $\mathrm{Tr}(R) = 0_E$. Boneh has also shown that $e(Q, Q) = 1$ for the Tate pairing as well as the Weil pairing (see [?]). We call $\langle Q \rangle$ the trace zero subgroup and denote it by $T$.

Lemma 3.1. Let $E$ be an elliptic curve over $\mathbb{F}_q$. Let $r$ be a large prime such that $r \mid \#E(\mathbb{F}_q)$ and $r \mid (q^k - 1)$. Define the basis $\{P, Q\}$ as the eigenbasis for Frobenius as above. Let $S = aP + bQ \in E(\mathbb{F}_{q^k})$ with $ab \neq 0$ and let $G = \langle S \rangle$. Then the DDH problem in $G$ can be solved in polynomial time.

Proof. Consider $(S, uS, vS, wS)$. Since $\mathrm{Tr}(S) = kaP \neq 0_E$ and $b \neq 0$ we have $e(S, \mathrm{Tr}(S)) \neq 1$. Hence, the DDH tuple $(S, uS, vS, wS)$ gives rise to the co-DDH tuple

$(S,\ uS,\ \mathrm{Tr}(vS) = v\,\mathrm{Tr}(S),\ \mathrm{Tr}(wS) = w\,\mathrm{Tr}(S))$

and, as we have seen, all co-DDH problems can be solved using the Weil pairing. □

Hence, only two potentially hard DDH problems remain, namely the subgroup $\langle P \rangle$, which is the set of $r$-torsion points defined over the field $\mathbb{F}_q$, and the trace zero subgroup $T \subseteq E(\mathbb{F}_{q^k})[r]$. Equivalently, these are the two eigenspaces in $E(\mathbb{F}_{q^k})[r]$ for the $q$-power Frobenius map. In the ordinary case these problems seem to be hard. For the remainder of the paper we consider the supersingular case.

4. Review of quaternion algebras 

We devote this section to fixing the notation and briefly reviewing the theory of quaternion algebras that we need in the sequel.

A quaternion algebra over a field $K$ is a central simple algebra of rank 4 over $K$.

A quaternion algebra $B$ is division if $B \not\simeq M_2(K)$, or equivalently if $B^* = B \setminus \{0\}$.

If $\mathrm{char}(K) \neq 2$, every quaternion algebra is of the form

$$B = \left(\frac{m, n}{K}\right) := K + Ki + Kj + Kij, \qquad i^2 = m,\ j^2 = n,\ ij = -ji$$

for some $m, n \in K^*$. The conjugation map on $B$ is $\overline{a + bi + cj + dij} = a - bi - cj - dij$ and the reduced trace and norm on $B$ are $\mathrm{Tr}(\alpha) = \alpha + \bar{\alpha}$ and $n(\alpha) = \alpha \cdot \bar{\alpha}$ for any $\alpha \in B$, respectively.

We next present two different but equivalent versions of the Skolem-Noether Theorem (see [?]).
Proposition 4.1. Let $B$ be a quaternion algebra over a field $K$.

(1) Let $\sigma : B \to B$ be an automorphism of $B$ over $K$. Then $\sigma(\alpha) = \gamma^{-1} \alpha \gamma$ for some $\gamma \in B^*$.

(2) Let $L/K$ be a quadratic field extension of $K$. Let $\phi, \psi : L \to B$ be two different immersions of $L$ into $B$ over $K$. Then there exists $\gamma \in B^*$ such that $\phi(\alpha) = \gamma^{-1} \psi(\alpha) \gamma$ for all $\alpha \in L$.

Let $R$ be a Dedekind ring and let $K$ be its field of fractions. Let $B$ be a quaternion algebra over $K$. We say that a place $v \leq \infty$ of $K$ ramifies in $B$ if $B \otimes K_v$ is a division algebra over the completion $K_v$ of $K$ at $v$. A classical theorem (see [?], [30], p. 74) states that there is a finite and even number of places of $K$ that ramify in $B$. Conversely, for any finite set $\{v_1, \ldots, v_{2r}\}$ of places of $K$ of even cardinality, there exists a unique quaternion algebra up to isomorphism which ramifies exactly at the places $v_i$.

The reduced discriminant of $B$ is defined to be the product $D_B = \prod \mathfrak{p}$ of all finite prime ideals of $R$ ramifying in $B$.

An element $\alpha$ in $B$ is integral over $R$ if $\mathrm{Tr}(\alpha), n(\alpha) \in R$. Unlike number fields, the set of integral elements in $B$ is not a subring of $B$ (for an example see page 20 of [?]).

An order $\mathcal{R}$ in $B$ over $R$ is a subring of $B$ of rank 4 over $R$. We say that $\mathcal{R}$ is maximal if it is not properly contained in any other order of $B$. A left projective ideal $I$ of a maximal order $\mathcal{R}$ is a locally principal sub-$\mathcal{R}$-module of $B$ of rank 4 over $R$. Two projective left ideals $I, J$ of $\mathcal{R}$ are linearly equivalent if $I = J \cdot \alpha$ for some $\alpha \in B^*$. We let $\mathrm{Pic}_R(\mathcal{R})$ denote the set of linear equivalence classes of left projective ideals of $\mathcal{R}$ over $R$. The set $\mathrm{Pic}_R(\mathcal{R})$ is finite and its cardinality $h_R(B) = \#\mathrm{Pic}_R(\mathcal{R})$ is independent of the choice of $\mathcal{R}$.

The conjugation class of an order $\mathcal{R}$ over $R$ is the set of orders $[\mathcal{R}] = \{\gamma^{-1} \mathcal{R} \gamma : \gamma \in B^*\}$, which has infinite cardinality. There is however a finite number $t_R(B)$ of conjugation classes of maximal orders in $B$ over $R$.

Proposition 4.2. Let $K$ be the field of fractions of a Dedekind ring $R$ and let $B$ be a quaternion algebra over $K$. Then

(1) $h_R(B) \geq t_R(B)$.

(2) If $K$ is a local field, then $h_R(B) = t_R(B) = 1$.

(3) If $K$ is a number field and $\mathfrak{M}$ is any ideal of $K$, there exists an integral ideal $\mathfrak{m}$ of $R$, $(\mathfrak{M}, \mathfrak{m}) = 1$, such that $h_{R[\frac{1}{\mathfrak{m}}]}(B) = t_{R[\frac{1}{\mathfrak{m}}]}(B) = 1$.

Proof. The first two statements can be found in [30], p. 26 and Ch. II respectively. As for the third, let $\mathcal{R}$ be a maximal order of $B$ and let $\{I_1, \ldots, I_{h_R(B)}\}$ be a full set of representatives of projective left ideals in $\mathrm{Pic}_R(\mathcal{R})$. It follows from [24], p. 5 that the $I_i$ can be chosen such that $\mathfrak{m} = n(I_1) \cdot \ldots \cdot n(I_{h_R(B)})$ is coprime to $\mathfrak{M}$. Since the $I_i$ are invertible in $\mathcal{R}[\frac{1}{\mathfrak{m}}]$ we have that $h_{R[\frac{1}{\mathfrak{m}}]}(B) = 1$. By (1) we also have $t_{R[\frac{1}{\mathfrak{m}}]}(B) = 1$. □

Let $B = \left(\frac{m, n}{K}\right) := K + Ki + Kj + Kij$, $i^2 = m$, $j^2 = n$, $ij = -ji$ and let $\mathcal{R}$ be a maximal order in $B$ over $R$. Two questions that naturally arise in several contexts and that we encounter in the proof of Theorem 5.2 are the following:

(1) Do there exist elements $\pi, \psi \in \mathcal{R}$ such that $\pi^2 = m$, $\psi^2 = n$, $\pi\psi = -\psi\pi$?

(2) Fix $\pi \in \mathcal{R}$ such that $\pi^2 = m$ (if there is any). Does there exist $\psi \in \mathcal{R}$ such that $\psi^2 = n$, $\pi\psi = -\psi\pi$?

These questions were considered in the appendix to [25]. We state here a partial answer which will suffice for our purposes.

Proposition 4.3. Let notation be as above.

(1) If $t_R(B) = 1$, then there exist $\pi, \psi \in \mathcal{R}$ such that $\pi^2 = m$, $\psi^2 = n$, $\pi\psi = -\psi\pi$.

(2) Fix $\pi \in \mathcal{R}$ such that $\pi^2 = m$. If $t_R(B) = 1$ and $O = R[\sqrt{m}] \subseteq K(\sqrt{m})$ is locally a discrete valuation ring at the places $v \mid D_B$ of class number $h(O) = 1$, then there exists $\psi \in \mathcal{R}$ such that $\psi^2 = n$, $\pi\psi = -\psi\pi$.

Proof. Part (1) follows from [25], Proposition 5.1. As for (2), let $\mathcal{E}(m)$ denote the set of embeddings $\iota : R[\sqrt{m}] \hookrightarrow \mathcal{R}$ over $R$ up to conjugation by elements in the normalizer group $\mathrm{Norm}_{B^*}(\mathcal{R})$. Since $\pi \in \mathcal{R}$, $\mathcal{E}(m)$ is non-empty. Eichler proved that $\mathcal{E}(m)$ is a finite set. More precisely, we have from our hypothesis and [30], Theorem 3.1 on p. 43 and Theorem 5.11 on p. 92, that in fact $\#\mathcal{E}(m) = 1$. It now follows from Proposition 5.7 and its remark below that there exists $\psi \in \mathcal{R}$ such that $\psi^2 = n$, $\pi\psi = -\psi\pi$. □

Let $B$ be a quaternion algebra over $\mathbb{Q}$. We say that $B$ is definite if $\infty$ ramifies in $B$, that is, if $B \otimes \mathbb{R} = \mathbb{H}$ is the algebra of real Hamilton quaternions. Equivalently, $B$ is definite if and only if $D_B$ is the product of an odd number of primes. Otherwise $B \otimes \mathbb{R} = M_2(\mathbb{R})$ and we say that $B$ is indefinite.

If $B$ is indefinite then $h_{\mathbb{Z}}(B) = t_{\mathbb{Z}}(B) = 1$. Otherwise, $h_{\mathbb{Z}}(B)$ and $t_{\mathbb{Z}}(B)$ can be explicitly computed as in [30], p. 152. When $D_B = p$ is prime, the class number $h_{\mathbb{Z}}(B)$ is the number of isomorphism classes of supersingular elliptic curves over $\overline{\mathbb{F}}_p$ and $t_{\mathbb{Z}}(B)$ is the number of isomorphism classes of supersingular elliptic curves up to $\mathrm{Gal}(\overline{\mathbb{F}}_p/\mathbb{F}_p)$-conjugation.

Let $\mathbb{Q}_v$ be a local completion of $\mathbb{Q}$ at a place $v \leq \infty$. The Hilbert symbol over $\mathbb{Q}_v$ is a symmetric bilinear pairing

$$(\ ,\ )_v : \mathbb{Q}_v^*/\mathbb{Q}_v^{*2} \times \mathbb{Q}_v^*/\mathbb{Q}_v^{*2} \to \{\pm 1\}$$

which may be defined as $(m, n)_v = 1$ if the quaternion algebra $\left(\frac{m, n}{\mathbb{Q}_v}\right) \simeq M_2(\mathbb{Q}_v)$ and $(m, n)_v = -1$ otherwise.

In practice, the Hilbert symbol is computed as follows. For $v = \infty$, $(m, n)_\infty = -1$ if and only if $m < 0$ and $n < 0$. For any odd prime $p$, $(m, n)_p$ can be computed by using the multiplicative bilinearity of the pairing and the following three properties:

• $(-p, p)_p = 1$

• $(m, n)_p = 1$ if $p \nmid 2mn$

• $(m, p)_p = \left(\frac{m}{p}\right)$ is the Legendre quadratic symbol for any $p \nmid m$.

Finally, the Hilbert symbol at 2 follows from the equality $\prod_v (m, n)_v = 1$.

5. Supersingular curves and distortion maps 

In the next sections we restrict attention to supersingular curves. As is known (see, for example, [26], Theorem V.3.1 and [7]), an elliptic curve $E$ over a finite field $\mathbb{F}_q$ is supersingular if and only if $\mathrm{End}_{\overline{\mathbb{F}}_q}(E) \otimes \mathbb{Q}$ is a quaternion algebra over $\mathbb{Q}$ of reduced discriminant $p$.

Verheul [29] was the first to propose using non-rational endomorphisms to solve DDH problems. Let $P \in E(\mathbb{F}_{q^k})$ be a point of order $r$. If $\psi \in \mathrm{End}(E)$ is such that $\psi(P) \notin \langle P \rangle$ then $\{P, \psi(P)\}$ is a generating set for $E[r]$ and so $e_r(P, \psi(P)) \neq 1$. It follows that DDH problems in $\langle P \rangle$ can be solved. Verheul called such endomorphisms distortion maps.

Originally, distortion maps were exclusively used to map points defined over $\mathbb{F}_q$ to points defined over $\mathbb{F}_{q^k}$. In other words, the focus had been on the 1-eigenspace for the Frobenius map on $E[r]$. Theorem 5 of Verheul [29] states that a suitable distortion map exists for every point $P \in E[r]$ when $E$ is supersingular. The proof of Theorem 5 of [29] is not constructive, and it seems difficult to obtain an algorithm for finding a distortion map using that approach.

In Theorem 5.2 below we obtain an analogous result to that in [29] using completely different techniques. We can then give in Section 6 an algorithm for constructing a distortion map for any supersingular curve.

Lemma 5.1. Let $E$ be a supersingular elliptic curve over $\mathbb{F}_q$ and let $\psi$ be an endomorphism. Let $P$ be an element of one of the eigenspaces of the $q$-power Frobenius map $\pi$. Then $\psi$ maps $P$ outside $\langle P \rangle$ if and only if

$$P \notin \ker(\psi\pi - \pi\psi).$$

Proof. Suppose $\pi(P) = [m]P$ for some $m$ (indeed, either $m = 1$ or $m = q$). Now, $\psi(P)$ also in the eigenspace means $\pi\psi(P) = [m]\psi(P) = \psi([m]P) = \psi\pi(P)$. In other words, $P \in \ker(\psi\pi - \pi\psi)$. The converse is similar. □

Theorem 5.2. Let $E$ be a supersingular curve over $\mathbb{F}_q$, $q = p^a$. Suppose $k > 1$ and let $r \mid \#E(\mathbb{F}_q)$, $r \neq p$, $r > 3$, be a prime. Let $\pi$ be the $q$-power Frobenius map and let $P \in E(\mathbb{F}_{q^k})$ be in a $\pi$-eigenspace. Then there exists a distortion map $\psi$ on $E$ which maps $P$ outside $\langle P \rangle$.

Proof. By Lemma 5.1, to prove the result it is enough to prove that there exists $\psi \in \mathrm{End}(E)$ such that $r \nmid \deg(\pi\psi - \psi\pi)$.

Let $P(T) = T^2 - tT + q$ be the characteristic polynomial of the $q$-power Frobenius element $\pi$ acting on $E$. Since $k > 1$, we know (see for example [31] or [15], Theorem 1.20) that $P(T)$ is irreducible and so its roots generate a quadratic field over $\mathbb{Q}$.

The endomorphism ring $\mathcal{R} = \mathrm{End}(E)$ is a maximal order in the quaternion algebra $B_p = \mathrm{End}(E) \otimes \mathbb{Q}$, which ramifies exactly at $p$ and $\infty$ [17]. The ring $\mathrm{End}_{\mathbb{F}_q}(E)$ is an order in the quadratic field $\mathbb{Q}(\pi) = \mathrm{End}_{\mathbb{F}_q}(E) \otimes \mathbb{Q} \simeq \mathbb{Q}(\sqrt{t^2 - 4q})$, naturally embedded in $\mathcal{R}$. Let $\pi_0 = 2\pi - t \in \mathbb{Q}(\pi)$, which satisfies $\mathrm{Tr}(\pi_0) = 0$ and $n(\pi_0) = -\pi_0^2 = 4q - t^2$.

There is a morphism of $\mathbb{Q}$-vector spaces

$$c_\pi : B_p \to B_p, \qquad \psi \mapsto \pi\psi - \psi\pi$$

with $\ker(c_\pi) = \mathbb{Q}(\pi)$.

Let $s \in \mathbb{Z}$. We remark that there exists an element $\psi_0 \in B_p$ such that $\psi_0^2 = -s$ and $\pi_0\psi_0 = -\psi_0\pi_0$ if and only if

$$B_p \simeq \left(\frac{t^2 - 4q,\ -s}{\mathbb{Q}}\right). \qquad (\dagger)$$

Indeed, one direction is immediate. The other implication follows from the Skolem-Noether Theorem: if $B_p = \mathbb{Q} + \mathbb{Q}i + \mathbb{Q}j + \mathbb{Q}ij = \left(\frac{t^2 - 4q,\ -s}{\mathbb{Q}}\right)$, there exists $\gamma \in B_p^*$ with $\pi_0 = \gamma^{-1} i \gamma$ and we may take $\psi_0 = \gamma^{-1} j \gamma$.

Note that since the discriminant of $B_p$ is $p$, condition $(\dagger)$ for a given $s$ can be checked by computing a finite number of local Hilbert symbols. Moreover, since $B_p \otimes \mathbb{R}$ is a division algebra, necessarily $s > 0$.

Let $s \in \mathbb{Z}$ be such that $(\dagger)$ holds. By Proposition 4.2 (3) there exists an integer $N_0$ coprime to $r$ such that $t_{\mathbb{Z}[\frac{1}{N_0}]}(B_p) = 1$. Similarly, there exists an integer $N_1$ coprime to $r$ such that $\mathbb{Z}[\frac{1}{N_1}, \sqrt{t^2 - 4q}]$ is locally a discrete valuation ring at all primes $\ell \neq p$ and $h(\mathbb{Z}[\frac{1}{N_1}, \sqrt{t^2 - 4q}]) = 1$. Indeed, this is accomplished by considering a system of representatives $J_1, \ldots, J_{h(\mathbb{Q}(\sqrt{t^2 - 4q}))}$ of classes of ideals in the quadratic field $\mathbb{Q}(\sqrt{t^2 - 4q})$ such that $r \nmid N_{\mathbb{Q}(\sqrt{t^2 - 4q})/\mathbb{Q}}(J_i)$ and taking $N_1 = 2 \cdot \prod_i N_{\mathbb{Q}(\sqrt{t^2 - 4q})/\mathbb{Q}}(J_i)$.

By Proposition 4.3 there exists $\psi_0 \in \mathcal{R}[\frac{1}{N_0 N_1}]$ such that $\psi_0^2 = -s$ and $\pi_0\psi_0 = -\psi_0\pi_0$. Hence $N\psi_0 \in \mathcal{R}$ for some integer $N$ supported at the primes dividing $N_0 \cdot N_1$ and thus coprime to $r$. The endomorphism $N\psi_0$ will be the distortion map we are looking for (this is all assuming that $(\dagger)$ holds).

Since $\pi\psi_0 - \psi_0\pi = \pi_0\psi_0$ and $\pi(\pi_0\psi_0) - (\pi_0\psi_0)\pi = \left(\frac{\pi_0 + t}{2}\right)(\pi_0\psi_0) - (\pi_0\psi_0)\left(\frac{\pi_0 + t}{2}\right) = (t^2 - 4q)\psi_0$, it readily turns out that $\mathrm{Im}(c_\pi) = \mathbb{Q} \cdot \psi_0 + \mathbb{Q} \cdot \pi_0\psi_0$ and $c_\pi(\mathcal{R}) \supseteq c_\pi(\mathbb{Z} + \mathbb{Z}\pi + N\mathbb{Z}\psi_0 + N\mathbb{Z}\pi\psi_0) = (t^2 - 4q)N\mathbb{Z}\psi_0 + N\mathbb{Z}\pi_0\psi_0$. Moreover, the degrees of the isogenies $(t^2 - 4q)N\psi_0$ and $N\pi_0\psi_0$ on $E$ are computed in terms of the reduced norm in the quaternion algebra $B_p$ as $\deg((t^2 - 4q)N\psi_0) = (t^2 - 4q)^2 N^2 n(\psi_0) = (t^2 - 4q)^2 N^2 s$ and $\deg(N\pi_0\psi_0) = N^2 n(\pi_0) n(\psi_0) = (4q - t^2) N^2 s$. Hence,

$$\deg(\pi(N\psi_0) - (N\psi_0)\pi) = N^2 (4q - t^2) s$$

is coprime to $r$ as desired.

It remains to give choices of $s$ for which condition $(\dagger)$ is satisfied. According to a theorem of Waterhouse [?] the possible values of the trace of the Frobenius endomorphism are $t = 0$, $\pm p^{a/2}$, $\pm 2p^{a/2}$ and $\pm p^{(a+1)/2}$. Recall that we can exclude the value $t = \pm 2p^{a/2}$ because we are assuming $k > 1$. Hence, the only possible prime factors of $4q - t^2$ are 2, 3 and $p$, and in order to prove the claim, it suffices to show that $B_p \simeq \left(\frac{t^2 - 4q,\ -s}{\mathbb{Q}}\right)$ for either $s = 1$ or for some prime $s$, $s \neq r$.

The following table lists, for each of the possible values of $t$, a choice of $s$ such that condition $(\dagger)$ holds:

If $t = 0$, $a$ is odd, $p \not\equiv 1 \pmod 4$: $s = 1$

If $t = 0$, $a$ is odd, $p \equiv 1 \pmod 4$: any prime $s \equiv 3 \pmod 4$ and split in $\mathbb{Q}(\sqrt{-p})$

If $t = 0$, $a$ is even: $s = p$

If $t = \pm p^{(a+1)/2}$: $s = 1$

If $t = \pm p^{a/2}$: $s = p$

This table is checked by computing relevant Hilbert symbols. We give details of the argument for the first two rows of the table. Assume that $t = 0$ and $a$ is odd. We have that $(-4p^a, -s)_\ell = (-p, -s)_\ell$ for all primes $\ell$ and $(-p, -s)_\ell = 1$ for all finite primes $\ell \nmid 2p \cdot s$. Moreover, we have $(-p, -s)_\infty = -1$ if and only if $s > 0$.

If $p \not\equiv 1 \pmod 4$, $p \neq 2$, then $(-p, -1)_p = (p, -1)_p = \left(\frac{-1}{p}\right) = -1$. Since we have that $p$ and $\infty$ ramify in $\left(\frac{-p, -1}{\mathbb{Q}}\right)$ and the number of ramifying places must be even, we have that $(-p, -1)_2 = 1$. Hence $\left(\frac{-p, -1}{\mathbb{Q}}\right)$ is the quaternion algebra of discriminant $p$ and $B_p \simeq \left(\frac{-p, -1}{\mathbb{Q}}\right)$.

Similarly, if $p = 2$, it holds that $B_2 \simeq \left(\frac{-2, -1}{\mathbb{Q}}\right)$.

If $p \equiv 1 \pmod 4$ and $s$ is a prime $s \equiv 3 \pmod 4$ and split in $\mathbb{Q}(\sqrt{-p})$ (i.e., $\left(\frac{-p}{s}\right) = 1$), then $(-p, -s)_p = (p, -s)_p = \left(\frac{-s}{p}\right) = -1$ and $(-p, -s)_s = (-p, s)_s = \left(\frac{-p}{s}\right) = 1$. Hence $B_p \simeq \left(\frac{-p, -s}{\mathbb{Q}}\right)$.

Note that the Theorem of Cebotarev implies there are infinitely many suitable primes $s$ for line two of the table, hence we can always choose one which is not divisible by $r$.

We leave the checking of the remaining cases of the table above to the reader; remember that line three of the table only applies to $p = 2$ or $p \equiv 3 \pmod 4$, that line four of the table only applies to $p = 2, 3$ and that line five of the table only applies when $p = 3$ or $p \equiv 2 \pmod 3$.

This completes the proof. □
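The Hilbert-symbol recipe at the end of Section 4, applied to the checks of the first two rows of the table above, as an added example (not code from the paper). It computes $(m,n)_p$ for odd $p$ from the three stated rules and bilinearity, takes $(m,n)_2$ from the product formula, and lists the ramified places of $(m,n/\mathbb{Q})$; the sample values $p = 7$ and $p = 5$, $s = 3$ are constructed for illustration.

```python
# Added example (not from the paper): Hilbert symbols over Q, as described at the end of
# Section 4, used to verify rows of the table in the proof of Theorem 5.2.
OO = float("inf")          # stands for the infinite place of Q

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def prime_factors(n):
    """Set of primes dividing n (trial division; n is small in these examples)."""
    n, out, d = abs(n), set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def split_off(n, p):
    """Write n = p^a * u with p not dividing u and return (a, u)."""
    a = 0
    while n % p == 0:
        n //= p
        a += 1
    return a, n

def hilbert_odd(m, n, p):
    """(m, n)_p for an odd prime p.  Writing m = p^a u and n = p^b v, bilinearity and
    the rules (-p,p)_p = 1, (u,v)_p = 1, (u,p)_p = (u/p) give
    (m, n)_p = (-1)^(ab(p-1)/2) * (u/p)^b * (v/p)^a."""
    a, u = split_off(m, p)
    b, v = split_off(n, p)
    sym = -1 if (a * b * ((p - 1) // 2)) % 2 else 1
    if b % 2:
        sym *= legendre(u, p)
    if a % 2:
        sym *= legendre(v, p)
    return sym

def hilbert(m, n, v):
    """Hilbert symbol (m, n)_v over Q_v (v = OO is the real place).  The symbol at 2 is
    recovered from the product formula prod_v (m, n)_v = 1, as the text suggests."""
    if v == OO:
        return -1 if (m < 0 and n < 0) else 1
    if v != 2:
        return hilbert_odd(m, n, v)
    prod = hilbert(m, n, OO)
    for q in prime_factors(m * n) - {2}:
        prod *= hilbert_odd(m, n, q)
    return prod        # (m, n)_2 is whatever makes the product equal to 1

def ramified_places(m, n):
    """Places where (m, n / Q) is a division algebra, i.e. where (m, n)_v = -1.
    Only 2, the primes dividing mn and the infinite place can ramify."""
    candidates = {2, OO} | prime_factors(m * n)
    return sorted(v for v in candidates if hilbert(m, n, v) == -1)

def is_B_p(m, n, p):
    """True iff (m, n / Q) ramifies exactly at p and infinity, i.e. it is the
    algebra B_p of reduced discriminant p from Theorem 5.2."""
    return ramified_places(m, n) == [p, OO]

if __name__ == "__main__":
    # row 1 of the table: t = 0, a odd, p = 3 (mod 4), s = 1 gives B_p = (-p, -1 / Q)
    print("p = 7:        ", ramified_places(-7, -1), is_B_p(-7, -1, 7))
    # row 2: p = 5 = 1 (mod 4); s = 3 is 3 (mod 4) and split in Q(sqrt(-5)) as (-5/3) = 1
    print("p = 5, s = 3: ", ramified_places(-5, -3), is_B_p(-5, -3, 5))
    print("p = 5, s = 1 fails:", ramified_places(-5, -1))
```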

Remark 5.1. It follows from the above proof that Theorem 5.2 is also valid for $r = 3$ unless $p = 3$ or $t = \pm p^{a/2}$. The statement is valid for $r = 2$ precisely when $p \neq 2$ and $t = \pm p^{a/2}$ or when $p = 3$ and $t = \pm p^{(a+1)/2}$.

6. An algorithm for constructing distortion maps 

The aim of this section is to derive from the proof of Theorem 5.2 an algorithm for constructing a distortion map on a supersingular curve over a field of characteristic $p$.

One might expect the first step of such an algorithm to involve computing a basis for the endomorphism ring using Kohel's algorithm [?] (which runs in exponential time). In fact, we argue that this is not required. Instead we reflect upon how one would obtain a usable supersingular elliptic curve. It is known that for all finite fields $\mathbb{F}_q$ there is a supersingular elliptic curve $E$ defined over $\mathbb{F}_q$ (and in general, there will be many non-$\mathbb{F}_q$-isomorphic such curves). We claim that all the curves which could potentially be used in practice arise as reductions of CM curves in characteristic zero of small class number.

To justify our claim, consider the following three candidate methods to find a supersingular curve over a finite field.

(1) Using the complex multiplication (CM) method.

(2) Constructing curves over fields of small characteristic. For example $y^2 + y = f(x)$ over $\mathbb{F}_{2^m}$ is always supersingular.

(3) Choosing random curves over $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$ and counting points until a supersingular curve is found.

The third method is not useful as the probability of success is negligible. The number of isomorphism classes of supersingular curves over $\mathbb{F}_p$ is equal to $h_{-4p} + h_{-p}$ (where $h_D$ is the class number of the order of discriminant $D$, and $h_{-p} = 0$ if $p \equiv 1 \pmod 4$; for details see Gross [?]). By the Brauer-Siegel theorem (more details below) this number is roughly $p^{1/2}$ and so the probability of a randomly chosen elliptic curve over $\mathbb{F}_p$ being supersingular is negligible. Similarly, the number of isomorphism classes of supersingular curves over $\mathbb{F}_{p^2}$ is roughly $p/12$ (see Theorem V.4.1 (c) of [26]) and so the probability of a random curve over $\mathbb{F}_{p^2}$ being supersingular is negligible.

The second method restricts attention to a very small number of isomorphism classes (and hence $j$-invariants). In the example given, the curves all have $j = 0$. Hence, all these curves can be treated as twists of reductions of curves in characteristic zero, and these curves can be chosen to be CM curves. Hence the second method is essentially a special case of the CM method.

The CM method works in the following setting. Let $E$ be an elliptic curve over a number field $F$ with complex multiplication by an order $O$ in an imaginary quadratic field $K = \mathbb{Q}(\sqrt{-d})$. Let $p$ be a rational prime which does not split in $O$ and let $\mathfrak{p}$ be a prime of $F$ above $p$. Then by the Deuring reduction theorem, $\tilde{E} = E \pmod{\mathfrak{p}}$ is a supersingular elliptic curve over the residue field $k$ of $F$ at $\mathfrak{p}$. The main step of the CM method is to construct the ring class polynomial of the order $O$ (which has degree $h_O$, the class number of the order) and to find a root of it in characteristic $p$. This process has exponential complexity in the class number $h_O$ and can only be applied in practice when $h_O$ is relatively small.

It would be very interesting to have an alternative construction for supersingular curves. This open problem is also raised in Section 4.1 of Verheul [29].

Proposition 6.1. Let $E/F$ be an elliptic curve defined over a number field $F$ with complex multiplication by an order $O$ of discriminant $D$ in an imaginary quadratic field $K = \mathbb{Q}(\sqrt{D})$. Assume that $K \not\subseteq F$. Let $p$ be a pr3ime for which $E$ has good and supersingular reduction. Let $\mathfrak{p}$ be a prime ideal of $F$ above $p$. Let $\tilde{E}$ over $k = \mathbb{F}_{p^m}$ be the reduction mod $\mathfrak{p}$ of $E$. Let $\pi$ be the $p^m$-Frobenius map on $\tilde{E}$. Suppose $r \mid \#\tilde{E}(\mathbb{F}_{p^m})$ is a prime such that $r > 3$ and $r \nmid pD$.

Let $d > 0$ be such that $\sqrt{-d} \in O$. Let $\Psi \in \mathrm{End}(E)$ satisfy $\Psi^2 = -d$. Let $\psi \in \mathrm{End}_{\bar{k}}(\tilde{E})$ be the reduction mod $\mathfrak{p}$ of $\Psi$. Then $\psi$ is a suitable distortion map for points $P \in \tilde{E}[r]$ which lie in a $\pi$-eigenspace.

Proof. Note that since $K \not\subseteq F$, $H = F \cdot K$ is a quadratic extension over $F$. We know by the theory of complex multiplication that the minimal field of definition of the endomorphisms of $E$ is $H$ and it follows that, if we let $\sigma \in \mathrm{Gal}(H/F)$ be the non-trivial element, then $\Psi^\sigma = -\Psi$. Let $\tilde{k}$ be the residue field of a prime ideal in $H$ above $\mathfrak{p}$. The natural Galois action of $\mathrm{Gal}(H/F)$ on $\mathrm{End}_H(E) \otimes \mathbb{Q}$ descends to an action of $\mathrm{Gal}(\tilde{k}/k)$ on $\mathrm{End}_{\tilde{k}}(\tilde{E}) \otimes \mathbb{Q} \simeq B_p$. If we let $\sigma$ denote a generator of $\mathrm{Gal}(\tilde{k}/k)$, we have that $\psi^\sigma = -\psi$ due to the compatibility of the Galois action.

The Galois automorphism $\sigma$ acts on the quaternion algebra $B_p$ as an automorphism $\sigma : B_p \to B_p$. By the Skolem-Noether Theorem, $\alpha^\sigma = \gamma\alpha\gamma^{-1}$ for some $\gamma \in B_p^*$, which is uniquely determined as an element of $B_p^*/\mathbb{Q}^*$. Since $\pi^\sigma = \gamma\pi\gamma^{-1} = \pi$ because $\pi \in \mathrm{End}_k(\tilde{E})$, we deduce that $\gamma\pi = \pi\gamma$ and hence $\gamma \in \mathbb{Q}(\pi)$. Since $\psi^\sigma = \gamma\psi\gamma^{-1} = -\psi$, it follows that $\mathrm{Tr}(\gamma\psi) = \gamma\psi + \overline{\gamma\psi} = \gamma\psi + \bar{\psi}\bar{\gamma} = -\psi\gamma - \psi\bar{\gamma} = -\mathrm{Tr}(\gamma)\psi \in \mathbb{Z}$. Hence $\mathrm{Tr}(\gamma) = 0$ and $\gamma = \pi_0$ in $B_p^*/\mathbb{Q}^*$. Thus $\pi_0\psi = -\psi\pi_0$ and so $\psi\pi_0 - \pi_0\psi = 2\psi\pi_0$ is an isogeny of degree $4(4p - t^2)d$.

Now let $P \in \tilde{E}[r]$ be in a $\pi$-eigenspace. We apply arguments used in the proof of Theorem 5.2. Since $r > 3$ and $r \nmid pd$ we have that $P \notin \ker(\psi\pi - \pi\psi)$. Therefore $\psi(P)$ is independent from $P$. □

We can now present our algorithm. The input is a supersingular elliptic curve $E$ over a finite field $\mathbb{F}_q$ where $q = p^m$. We also assume that an order $O \subseteq \mathrm{End}(E)$ of class number $h_O$ is specified. Note that by the Brauer-Siegel theorem (see Theorem XVI.5 of Lang [20]; for non-maximal orders also see Theorem 8.7 of [2]) we have that the discriminant $D_O$ of $O$ is $O(h_O^{2+\epsilon})$. The notation $D_O = O(h_O^{2+\epsilon})$ means that for every $\epsilon > 0$ there is a constant $c_\epsilon$, which depends on $\epsilon$, such that $D_O < c_\epsilon h_O^{2+\epsilon}$ for all $O$.

ALGORITHM 1: Construction of a distortion map on $E$:

(1) Let $O$ be an order in $\mathrm{End}(E)$ of class number $h_O$. Compute the discriminant $D$ of $O$. Hence compute an integer $d > 0$ of size $O(D)$ such that $\sqrt{-d} \in O$ (for example, we can take $d = -D$). Denote $\sqrt{-d}$ by $\psi$ so that $\psi$ is a $d$-isogeny.

(2) Factor $d$ as $\prod_{i=1}^{n} \ell_i$ (where the $\ell_i$ are not necessarily distinct primes). Then $\psi$ is a composition $\psi_1 \cdots \psi_n$ of prime degree isogenies (and each $\psi_i$ will be defined over $\mathbb{F}_{q^2}$).

(3) Use Galbraith's algorithm [12] to construct a tree of prime degree isogenies between $j$-invariants of supersingular elliptic curves in characteristic $p$. The tree starts with vertex $j(E)$ and the process terminates when this vertex is revisited by a non-trivial isogeny. Since we know there is a non-trivial isogeny $\psi$ of degree $d$ we should select only the primes $\ell_i$ as found in step (2).

(4) Construct the isogeny $\psi$ on $E$ explicitly as the composition of the isogenies $\psi_i$. Each isogeny $\psi_i$ can be computed from the $j$-invariants of the corresponding elliptic curves using methods of Elkies [?] and Vélu [?]. Usually it is also necessary to construct an additional isomorphism between the image of the final isogeny $\psi_n$ and the elliptic curve $E$. All these calculations will be performed over $\mathbb{F}_{q^2}$.

By Proposition 6.1 the endomorphism $\psi$ will be a suitable distortion map. Hence the algorithm is clearly correct.

We now roughly analyse the complexity of the algorithm. We assume a unit cost for operations in the field of definition $\mathbb{F}_q$ of $E$. We express the complexity in terms of the class number $h = h_O$. For further details of the complexity analysis of algorithms like this see Elkies [?] and Galbraith [12].

(1) Step one is essentially trivial. Since $D$ is $O(h^{2+\epsilon})$ the complexity of this step is $O(h^{2+\epsilon})$.

(2) Factorisation can be easily done in time $O(\sqrt{d})$ which is $O(h^{1+\epsilon})$. The number $n$ is $O(\log(h))$ while the primes themselves are $O(d) = O(h^{2+\epsilon})$.

(3) There are $n = O(\log(h))$ iterations of the process. Each step requires computing the $\ell$-th modular polynomial $\Phi_\ell(x, y)$ (which has degree $\ell + 1$ in each variable and takes $O(\ell^3)$ operations to compute) and finding the roots of $\Phi_\ell(j, y)$ in $\mathbb{F}_{q^2}$ (which takes $O(\ell \log(q))$ operations). The total cost of this stage in the worst case is therefore $O(\log(h)(h^{6+\epsilon} + h^{2+\epsilon}\log(q)))$. The space requirement for the tree is $O(\log(h))$.

(4) Finding the path in the tree takes time $O(\log(h))$. For each $\ell$-isogeny in the composition, Elkies' algorithm requires $O(\ell^3)$ operations and Vélu's formulae require $O(\ell)$ operations. Computing the isomorphism is trivial. Hence the total cost of explicitly computing the isogeny $\psi$ is $O(\log(h) h^{6+\epsilon})$ operations.

To conclude, it is clear that step 3 is the dominant step. The total complexity of the algorithm is $O(\log(h)(h^{6+\varepsilon} + h^{2+\varepsilon}\log(q)))$. Since we can only construct curves for which $h$ is bounded by a polynomial function, this is therefore a polynomial time algorithm on families of curves which have been constructed in any practical setting.


k = 2:  $E : y^2 = x^3 + a$ over $\mathbb{F}_p$ where $p \equiv 2 \pmod 3$, $p > 2$.
        $\#E(\mathbb{F}_p) = p + 1$.
        Distortion map $(x, y) \mapsto (\zeta_3 x, y)$ where $\zeta_3^3 = 1$.

k = 2:  $E : y^2 = x^3 + ax$ over $\mathbb{F}_p$ where $p \equiv 3 \pmod 4$.
        $\#E(\mathbb{F}_p) = p + 1$.
        Distortion map $(x, y) \mapsto (-x, iy)$ where $i^2 = -1$.

k = 3:  $E : y^2 = x^3 + a$ over $\mathbb{F}_{p^2}$ where $p \equiv 5 \pmod 6$ and $a \in \mathbb{F}_{p^2}$ is a square which is not a cube.
        $\#E(\mathbb{F}_{p^2}) = p^2 - p + 1$.
        Distortion map $(x, y) \mapsto (\gamma^2 x^p, b y^p / b^p)$
        where $a = b^2$ ($b \in \mathbb{F}_{p^2}$) and $\gamma \in \mathbb{F}_{p^6}$ satisfies $\gamma^3 = b / b^p$.

k = 4:  $E : y^2 + y = x^3 + x + b$ over $\mathbb{F}_2$.
        Distortion map $(x, y) \mapsto (\zeta_3 x + s^2, y + \zeta_3 s x + s)$
        where $s \in \mathbb{F}_{2^4}$ satisfies $s^2 + \zeta_3 s + 1 = 0$.

k = 6:  $E : y^2 = x^3 + ax + b$ over $\mathbb{F}_3$.
        Distortion map $(x, y) \mapsto (\alpha - x, iy)$ where $i \in \mathbb{F}_{3^2}$ and $\alpha \in \mathbb{F}_{3^3}$
        satisfy $i^2 = -1$ and $\alpha^3 + a\alpha - b = 0$.

Table 1. Popular distortion maps.


7. Standard examples 

In the previous sections we showed the existence of non-rational endomorphisms $\psi$ with a certain property (namely, that $\psi(\pi(Q)) \neq \pi(\psi(Q))$ for points of order $r$ which are in a Frobenius eigenspace). In practice there are a small number of examples of supersingular curves which are widely used, and popular distortion maps are already known in these cases. In this section we recall these familiar examples and show that they satisfy the above property.

Table 1 gives the list of curves studied. These curves have been considered by several authors (for example, Verheul [2?] and Galbraith [13]). Note that in all cases we have $j(E) = 0$ or $1728$. This table does not list all possible variations of distortion maps. For instance, Barreto has suggested using

$\psi(x, y) = (x + \zeta_3, y + \zeta_3 x + t)$

where $t^2 + t = \zeta_3$ in the case of characteristic 2 and $k = 4$.

Proposition 7.1. Let $E$ be a supersingular curve over $\mathbb{F}_q$ from Table 1 where $q$ is a power of $p > 3$. Let $\pi$ be the $q$-power Frobenius. Suppose $r \mid \#E(\mathbb{F}_q)$ and $r > 3$. Then the distortion map $\psi$ listed in the table satisfies $r \nmid \deg(\pi\psi - \psi\pi)$.

Proof. Consider first the case when $E$ is the curve $y^2 = x^3 + ax$ over $\mathbb{F}_p$ with $k = 2$ and with the distortion map $\psi : (x, y) \mapsto (-x, iy)$. Clearly, $\psi^2 = -1$ and this case is covered by Proposition 6.1. One can also give a direct proof.

Now consider the case $E : y^2 = x^3 + a$ with $k = 2$ over $\mathbb{F}_p$ ($p \equiv 2 \pmod 3$) and with the distortion map $\psi(x, y) = (\zeta_3 x, y)$. In this case we have $\psi^3 = 1$ and so Proposition 6.1 does not apply. A variant of Proposition 6.1 which handles this case can be proved, but instead we give the following direct argument. Let $Q = (x, y) \in E[r]$. Since $r > 3$ we have $x \neq 0$. We have $\pi\psi(Q) = \pi(\zeta_3 x, y) = (\zeta_3^2 \pi(x), \pi(y))$ while $\psi\pi(Q) = (\zeta_3 \pi(x), \pi(y)) \neq \pi\psi(Q)$. Clearly, $Q \notin \ker(\pi\psi - \psi\pi)$ and the result follows.

Finally, consider the case $k = 3$ with $E : y^2 = x^3 + a$. Since $\gamma^2 \notin \mathbb{F}_{p^2}$ we have $\pi(\gamma^2) \neq \gamma^2$. The $x$-coordinate of $\psi\pi(Q)$ is $\gamma^2 \pi(x)$ while the $x$-coordinate of $\pi\psi(Q)$ is $\pi(\gamma^2 x) = \pi(\gamma^2)\pi(x)$. Since $r > 3$ we have $x \neq 0$, and so the $x$-coordinates are not equal. The result follows. □

Proposition 7.2. Let $E$ be a supersingular curve over $\mathbb{F}_q$ from Table 1 where $q$ is a power of 2. Let $\pi$ be the $q$-power Frobenius map. Suppose $r \mid \#E(\mathbb{F}_q)$ is such that $r > 1$. Then the distortion map listed in the table satisfies $r \nmid \deg(\pi\psi - \psi\pi)$.

Proof. The relevant curve is $E : y^2 + y = x^3 + x + b$ with distortion map $\psi(x, y) = (\zeta_3 x + s^2, y + \zeta_3 s x + s)$ where $\zeta_3^3 = 1$ and $s^2 + \zeta_3 s + 1 = 0$. Since $\psi^3 = 1$ we cannot apply Proposition 6.1, so we give a direct argument.

If $\pi\psi(Q) = \psi\pi(Q)$ then $\pi^2\psi(Q) = \psi\pi^2(Q)$, so it is enough to prove that the latter equality does not hold. Suppose $q = 2^m$ where $m$ is odd (otherwise $k < 4$). Clearly, $\pi^2$ fixes $\mathbb{F}_{q^2}$ and so $\pi^2(\zeta_3) = \zeta_3$. Now $\pi^2$ does not fix $s \in \mathbb{F}_{q^4}$ so, by inspection of the minimal polynomial, $\pi^2(s) = s + \zeta_3$.

Let $Q = (x, y) \in E[r]$. Then the $x$-coordinate of $\pi^2\psi(Q)$ is $\pi^2(\zeta_3 x + s^2) = \zeta_3 \pi^2(x) + s^2 + \zeta_3^2$ while the $x$-coordinate of $\psi\pi^2(Q)$ is $\zeta_3 \pi^2(x) + s^2$. The result follows. □

Proposition 7.3. Let $E$ be a supersingular curve over $\mathbb{F}_q$ from Table 1 where $q$ is a power of 3. Let $\pi$ be the $q$-power Frobenius map. Suppose $r \mid \#E(\mathbb{F}_q)$ and $r > 1$. Then the distortion map $\psi$ listed in the table satisfies $r \nmid \deg(\pi\psi - \psi\pi)$.

Proof. Clearly, $\psi^2 = -1$ and Proposition 6.1 applies (take $F$ to be a cubic extension of $\mathbb{Q}$). There is also an easy direct proof. □



8. Distortion maps which are not isomorphisms

By Theorem III.10.1 of [26] there are non-trivial automorphisms only when $j(E) = 0$ or $1728$ (in particular, when the endomorphism ring has a subring isomorphic to either $\mathbb{Z}[i]$ or $\mathbb{Z}[\zeta_3]$, both of which are rings with non-trivial units). Hence, we cannot expect distortion maps to be automorphisms in all cases.

Even in the cases $j = 0, 1728$ we see that the value $s = 1$ cannot always be taken in the proof of Theorem 5.2. This indicates why the $k = 3$ example in characteristic $p$ (with $t = p^{a/2}$) does not admit an automorphism.

The aim of this section is to give some examples of these distortion maps. For the first example we use Algorithm 1. For the second example we use an ad hoc technique which shows that Algorithm 1 is not optimal.

8.1. Example: $D = -8$. This example illustrates Algorithm 1 with the case $d = 2$. The ring $\mathbb{Z}[\sqrt{-2}]$ has discriminant $D = -8$. The elliptic curve

$E : y^2 = x^3 + x^2 - 3x + 1$

has $j$-invariant equal to 8000 and its endomorphism ring is isomorphic to $\mathbb{Z}[\sqrt{-2}]$.

We seek a 2-isogeny to a curve with $j$-invariant also equal to 8000. Consider the rational 2-isogeny whose kernel is generated by the 2-torsion point $(1, 0)$. The equations for this isogeny (found using [27]) are

$(x, y) \mapsto \left( \frac{3x^2 - 2x + 5}{3(x - 1)},\ \frac{y(x^2 - 2x - 1)}{(x - 1)^2} \right)$

and the image under this isogeny is the elliptic curve

$E' : y^2 = x^3 - 40x/3 - 448/27.$

The curve $E'$ has $j(E') = 8000$ but it is not isomorphic to $E$ over $\mathbb{Q}$. There is an isomorphism from $E'$ to $E$ over $\mathbb{Q}(\sqrt{-2})$ given by

$(x, y) \mapsto (-x/2 - 1/3,\ \sqrt{-2}\, y/4).$

The composition of the 2-isogeny and the isomorphism gives a distortion map $\psi : E \to E$ which, by Proposition 6.1, is suitable for our application. This can be used for $E$ over $\mathbb{F}_p$ whenever $p$ is inert in $\mathbb{Q}(\sqrt{-2})$ (i.e., $p \equiv 5, 7 \pmod 8$).

We note that nicer equations in this case are known, see Section 14B of [?] or [?].
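As an added example (not code from the paper), the following Python script checks numerically two things the text asserts: the Frobenius non-commutation property of Proposition 7.1 for the two $k = 2$ curves of Table 1, and the Section 8.1 construction above (Vélu's formulae for the kernel generated by $(1, 0)$ reproduce the image curve $E'$ and its $j$-invariant 8000, and the composite map $\psi$ is a distortion map on $E$ modulo an inert prime). The primes $p = 11$ (for Table 1; $11 \equiv 3 \pmod 4$ and $11 \equiv 2 \pmod 3$) and $p = 5$ (for $E$; $5 \equiv 5 \pmod 8$ is inert in $\mathbb{Q}(\sqrt{-2})$) are our choices, $a = 1$ is taken in both table curves, and $\mathbb{F}_{p^2}$ arithmetic is implemented directly as $\mathbb{F}_p[t]/(t^2 - d)$.

```python
"""Added example (not the paper's code).  Checks numerically:
 (a) Table 1 / Proposition 7.1 over F_11 (our choice: 11 = 3 mod 4 and 11 = 2 mod 3): on
     y^2 = x^3 + x and y^2 = x^3 + 1 the maps (x,y) -> (-x, iy) and (x,y) -> (zeta_3 x, y)
     commute with Frobenius only at the points the proposition's hypotheses exclude;
 (b) Section 8.1: Velu's formulae reproduce the printed image curve E' (j = 8000) and the
     composite map psi is a distortion map on E mod 5 (5 is inert in Q(sqrt(-2)))."""
from fractions import Fraction as Fr

class Fp2:
    """F_{p^2} = F_p[t]/(t^2 - d) with d a quadratic non-residue mod p; ints are coerced."""
    p = d = None                                       # set by the subclasses below
    def __init__(self, a, b=0): self.a, self.b = a % self.p, b % self.p
    def _c(self, o): return o if isinstance(o, Fp2) else type(self)(o)
    def __add__(self, o): o = self._c(o); return type(self)(self.a + o.a, self.b + o.b)
    def __sub__(self, o): o = self._c(o); return type(self)(self.a - o.a, self.b - o.b)
    def __mul__(self, o):
        o = self._c(o)
        return type(self)(self.a*o.a + self.d*self.b*o.b, self.a*o.b + self.b*o.a)
    def __rsub__(self, o): return self._c(o) - self
    def __neg__(self): return type(self)(-self.a, -self.b)
    __radd__, __rmul__ = __add__, __mul__
    def inv(self):                                     # conj/N; pow() raises ValueError at 0
        n = pow((self.a*self.a - self.d*self.b*self.b) % self.p, -1, self.p)
        return type(self)(self.a*n, -self.b*n)
    def __truediv__(self, o): return self * self._c(o).inv()
    def __eq__(self, o): o = self._c(o); return (self.a, self.b) == (o.a, o.b)
    def __hash__(self): return hash((self.a, self.b))
    def frob(self): return type(self)(self.a, -self.b)  # p-power Frobenius: t^p = -t

class F11(Fp2): p, d = 11, -1                          # F_11(i)
class F5(Fp2):  p, d = 5, -2                           # F_5(sqrt(-2))

def on_curve(c, x, y):                                 # c = (a2, a4, a6): y^2 = x^3 + a2 x^2 + a4 x + a6
    return y*y == x*x*x + c[0]*x*x + c[1]*x + c[2]

def points_Fp(K, c):                                   # affine F_p-rational points (K an Fp2 subclass)
    return [(K(x), K(y)) for x in range(K.p) for y in range(K.p) if on_curve(c, K(x), K(y))]

def count_Fp(K, c):                                    # #E(F_p); equal to p + 1 means supersingular
    return 1 + len(points_Fp(K, c))

def frob_pt(Q): return Q[0].frob(), Q[1].frob()

def commuting_points(K, c, psi):
    """F_p-rational points Q with pi(psi(Q)) == psi(pi(Q)).  A distortion map must avoid this
    on the order-r points in use, so only points of small order should appear here."""
    out = []
    for Q in points_Fp(K, c):
        try:
            if frob_pt(psi(Q)) == psi(frob_pt(Q)): out.append(Q)
        except ValueError:                             # psi undefined at a kernel point of the isogeny
            pass
    return out

# ---- (a) the two k = 2 curves of Table 1 over F_11 ----
def find_zeta3(K):                                     # a root of z^2 + z + 1 in F_{p^2} (p^2 = 1 mod 3)
    for a in range(K.p):
        for b in range(K.p):
            z = K(a, b)
            if z*z + z + 1 == 0: return z

I, ZETA3 = F11(0, 1), find_zeta3(F11)
E_A, E_0 = (0, 1, 0), (0, 0, 1)                        # y^2 = x^3 + x  and  y^2 = x^3 + 1 (a = 1)
def psi_a(Q): return -Q[0], I*Q[1]                     # (x, y) -> (-x, iy),      p = 3 (mod 4)
def psi_0(Q): return ZETA3*Q[0], Q[1]                  # (x, y) -> (zeta_3 x, y), p = 2 (mod 3)

# ---- (b) Section 8.1: E: y^2 = x^3 + x^2 - 3x + 1, kernel generated by (1, 0) ----
def velu_2_isogeny(a2, a4, a6, x0):
    """Velu's formulae for the kernel {O, (x0, 0)}: returns (A2, A4, A6, v), the image being
    y^2 = x^3 + A2 x^2 + A4 x + A6 and the map X = x + v/(x - x0), Y = y(1 - v/(x - x0)^2)."""
    v = 3*x0*x0 + 2*a2*x0 + a4                         # g_x at the kernel point (u = 0 for 2-torsion)
    return a2, a4 - 5*v, a6 - 4*a2*v - 7*x0*v, v

def short_form(a2, a4, a6):                            # x -> X - a2/3 removes the x^2 term
    return a4 - a2*a2/3, a6 - a2*a4/3 + 2*a2**3/27

def j_inv(a, b): return 1728 * 4*a**3 / (4*a**3 + 27*b*b)

E = (1, -3, 1)
IMG = velu_2_isogeny(*map(Fr, E), Fr(1))
E1 = short_form(*IMG[:3])                              # paper: y^2 = X^3 - 40X/3 - 448/27

def iso_2(x, y):                                       # the printed 2-isogeny; works over Q or F_{p^2}
    return (3*x*x - 2*x + 5)/(3*(x - 1)), y*(x*x - 2*x - 1)/((x - 1)*(x - 1))

def velu_x(x):                                         # the same x-map from Velu's v plus the A2/3 shift
    return x + IMG[3]/(x - 1) + IMG[0]/3

SQRT_M2 = F5(0, 1)
def psi_81(Q):                                         # 2-isogeny, then the isomorphism E' -> E
    X, Y = iso_2(*Q)
    return -X/2 - F5(1)/3, SQRT_M2*Y/4
```

The Table 1 check returns exactly the points the propositions exclude: on $y^2 = x^3 + x$ only the 2-torsion point $(0, 0)$ commutes with Frobenius, and on $y^2 = x^3 + 1$ only the two points with $x = 0$, which have order 3; this is why Proposition 7.1 assumes $r > 3$. For the Section 8.1 map, $\psi$ is undefined only at the kernel point $(1, 0)$ (the field inverse raises `ValueError` there), and every other $\mathbb{F}_5$-rational point is moved out of its Frobenius eigenspace, e.g. $\psi(0, 1) = (3, \sqrt{-2})$ while $\pi$ sends it to $(3, -\sqrt{-2})$.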

8.2. Example: $D = -7$. We consider the CM curve with $j$-invariant $-3375$ and endomorphism ring $\mathbb{Z}[(1 + \sqrt{-7})/2]$. The units of this ring are simply $\pm 1$. We consider the curve equation (obtained from Cremona's tables [?])

$E : y^2 + xy = x^3 - x^2 - 2x - 1.$

By Deuring's reduction theorem (see Lang [21], Theorem 12 on page 182) this curve has supersingular reduction modulo $p$ whenever $p = 7$ or $\left(\frac{-7}{p}\right) = -1$ (i.e., $p \equiv 2, 5, 6 \pmod 7$). When $E$ is supersingular modulo $p$ then $\#E(\mathbb{F}_p) = p + 1$ and the embedding degree is $k = 2$.

We seek a non-rational isogeny from $E$ to itself. Since $\mathbb{Z}[(1 + \sqrt{-7})/2]$ contains $\sqrt{-7}$ we could apply Algorithm 1 to get a 7-isogeny. Instead, we note that $\mathbb{Z}[(1 + \sqrt{-7})/2]$ contains elements of norm 2 and so we should be able to find a 2-isogeny.

Since the kernel of a 2-isogeny is an element of order 2, we start by finding the 2-torsion on $E$ in characteristic zero. Recall that a point $P = (x, y)$ has order 2 if $P = -P$, and in this case $-P = (x, -y - x)$, hence we require that $x = -2y$. One easily checks that

$E[2] = \{O_E,\ (2, -1),\ (-2\alpha, \alpha),\ (-2\bar{\alpha}, \bar{\alpha})\}$

where $\alpha = (5 + \sqrt{-7})/16$.

The isogeny coming from $(2, -1)$ is rational, and turns out not to be useful. Hence we apply Vélu's formulae [27] to construct an isogeny with kernel generated by the point $(-2\alpha, \alpha)$. Summarising the results, let

$A_4 = (-29 - 105\sqrt{-7})/32$ and $A_6 = (-849 + 595\sqrt{-7})/128$

and define

$X = x + (-7 + 21\sqrt{-7})/(32x + 20 + 4\sqrt{-7}),$

$Y = y - (-7 + 21\sqrt{-7})\,(2x + 2y + (5 + \sqrt{-7})/8)/(8x + 5 + \sqrt{-7})^2.$

Then the map $\psi_1(x, y) = (X, Y)$ is a 2-isogeny from $E$ to

$E' : Y^2 + XY = X^3 - X^2 + A_4 X + A_6$

where $j(E') = -3375$ too.
It remains to compute an isomorphism from $E'$ to $E$. Let

$u = (-1 - \sqrt{-7})/4, \quad r = (11 - \sqrt{-7})/32, \quad t = (-11 + \sqrt{-7})/64, \quad s = (-5 - \sqrt{-7})/8.$

Then the mapping $\psi_2(X, Y) = (u^2 X + r,\ u^3 Y + u^2 s X + t)$ is an isomorphism from $E'$ to $E$.

Defining $\psi(x, y) = \psi_2(\psi_1(x, y))$ we obtain our distortion map from $E$ to $E$. In practice, it is easier to store the isogenies separately and to compute the distortion map by computing the composition.

Proposition 6.1 does not apply to this map, so we give a direct proof that it is suitable. Consider a point $Q$ on the reduction of $E$ over $\mathbb{F}_{p^m}$ ($m$ odd) where $p$ is inert in $\mathbb{Q}(\sqrt{-7})$. Let $\pi$ be the $p^m$-power Frobenius. If $Q \notin \ker(\psi)$ then we show that $\pi\psi(Q) \neq \psi\pi(Q)$. The $x$-coordinate of the composition of the isogeny and the isomorphism is

$\frac{-3 + \sqrt{-7}}{8}\, x + \frac{(-63 - 35\sqrt{-7})/16}{8x + 5 + \sqrt{-7}} + \frac{11 - \sqrt{-7}}{32}.$

Since $\pi$ maps $\sqrt{-7} \in \mathbb{F}_{q^2}$ to $-\sqrt{-7}$ it is clear that we cannot have $\pi\psi(Q) = \psi\pi(Q)$ for any point $Q$ except the points in the kernel of $\psi$.

As noted above, this example shows that Algorithm 1 does not necessarily provide an endomorphism of minimal degree. Finally, we note that nicer equations in this case are known, see Section 7.2.3 of [?], [?] or [22].

9. Remaining hard problems 

In the ordinary case, Verheul [2?] has shown that there are no distortion maps. In this case it seems that DDH is hard in both eigenspaces for the Frobenius map.

To solve the DDH problem in the small field one might try to invert the trace map. In fact it is trivial to find pre-images under the trace map (for example, given $R \in E(\mathbb{F}_q)$ a pre-image would be [...]) but it seems to be difficult to find pre-images in a coherent way without using some kind of non-rational group homomorphism.

It remains an open problem to either show that DDH is easy on ordinary elliptic curves in all cases, or to give evidence that the problem is hard in the two cases remaining (i.e., the two eigenspaces of Frobenius).

The generalisation of these results to the case of abelian varieties of higher dimension seems to be hard. In particular, our algorithm relies on modular equations to compute isogenies, and it is a well-known open problem to extend these techniques to the higher-dimensional case.